Also don't allow index buffers in ram without robust access

Author: danielkeller

demo/src/main.rs

@@ -638,7 +638,7 @@ fn main() -> anyhow::Result<()> {
         });
         subpass.bind_pipeline(&pipeline);
         subpass.bind_vertex_buffers(0, &[(&vertex_buffer, 0)])?;
-        subpass.bind_index_buffer(&index_buffer, 0, vk::IndexType::UINT16);
+        subpass.bind_index_buffer(&index_buffer, 0, vk::IndexType::UINT16)?;
         subpass.bind_descriptor_sets(
             vk::PipelineBindPoint::GRAPHICS,
             &pipeline_layout,

src/buffer.rs

@@ -56,8 +56,8 @@ impl BufferWithoutMemory {
 }
 impl Buffer {
     // TODO: Bulk bind
-    /// Note that it is an error to bind a storage buffer to host-visible memory
-    /// when robust buffer access is not enabled.
+    /// Note that it is an error to bind a storage, uniform, vertex, or index
+    /// buffer to host-visible memory when robust buffer access is not enabled.
     #[doc = crate::man_link!(vkBindBufferMemory)]
     pub fn new(
         buffer: BufferWithoutMemory, memory: &DeviceMemory, offset: u64,
@@ -128,9 +128,9 @@ impl BufferWithoutMemory {
         self.handle.borrow_mut()
     }
     /// If [`BufferCreateInfo::usage`] includes an abritrarily indexable buffer
-    /// usage type (uniform, storage, or vertex) and the robust buffer access
-    /// feature was not enabled at device creation, any host-visible memory
-    /// types will be removed from the output. Note that on
+    /// usage type (uniform, storage, vertex, or index) and the robust buffer
+    /// access feature was not enabled at device creation, any host-visible
+    /// memory types will be removed from the output. Note that on
     /// some physical devices (eg software rasterizers), *all* memory types are
     /// host-visible.
     ///
@@ -154,7 +154,7 @@ impl BufferWithoutMemory {
         result
     }
     /// Allocate a single piece of memory for the buffer and bind it. Note that
-    /// it is an error to bind a uniform, storage, or vertex buffer to
+    /// it is an error to bind a uniform, storage, vertex, or index buffer to
     /// host-visible memory when robust buffer access is not enabled.
     pub fn allocate_memory(
         self, memory_type_index: u32,

src/command_buffer/bind.rs

@@ -73,11 +73,12 @@ impl<'a> RenderPassRecording<'a> {
         self.rec.bind_vertex_buffers(first_binding, buffers_offsets)
     }
     /// Reference count of `buffer` is incremented. Returns
-    /// [`Error::InvalidArgument`] if `buffers_offsets` is empty.
+    /// [`Error::InvalidArgument`] if `buffer` does not have the `INDEX_BUFFER`
+    /// usage flag.
     #[doc = crate::man_link!(vkCmdBindIndexBuffer)]
     pub fn bind_index_buffer(
         &mut self, buffer: &Arc<Buffer>, offset: u64, index_type: IndexType,
-    ) {
+    ) -> Result<()> {
         self.rec.bind_index_buffer(buffer, offset, index_type)
     }
 }
@@ -92,11 +93,12 @@ impl<'a> SecondaryCommandRecording<'a> {
         self.rec.bind_vertex_buffers(first_binding, buffers_offsets)
     }
     /// Reference count of `buffer` is incremented. Returns
-    /// [`Error::InvalidArgument`] if `buffers_offsets` is empty.
+    /// [`Error::InvalidArgument`] if `buffer` does not have the `INDEX_BUFFER`
+    /// usage flag.
     #[doc = crate::man_link!(vkCmdBindIndexBuffer)]
     pub fn bind_index_buffer(
         &mut self, buffer: &Arc<Buffer>, offset: u64, index_type: IndexType,
-    ) {
+    ) -> Result<()> {
         self.rec.bind_index_buffer(buffer, offset, index_type)
     }
 }
@@ -113,9 +115,6 @@ impl<'a> CommandRecording<'a> {
                 return Err(Error::InvalidArgument);
             }
         }
-        for &(buffer, _) in buffers_offsets {
-            self.add_resource(buffer.clone());
-        }
         let buffers = self.scratch.alloc_slice_fill_iter(
             buffers_offsets.iter().map(|&(b, _)| b.handle()),
         );
@@ -132,14 +131,21 @@ impl<'a> CommandRecording<'a> {
                 Array::from_slice(offsets).ok_or(Error::InvalidArgument)?,
             )
         }
+        for &(buffer, _) in buffers_offsets {
+            self.add_resource(buffer.clone());
+        }
         Ok(())
     }
     /// Reference count of `buffer` is incremented. Returns
-    /// [`Error::InvalidArgument`] if `buffers_offsets` is empty.
+    /// [`Error::InvalidArgument`] if `buffer` does not have the `INDEX_BUFFER`
+    /// usage flag.
     #[doc = crate::man_link!(vkCmdBindIndexBuffer)]
     pub fn bind_index_buffer(
         &mut self, buffer: &Arc<Buffer>, offset: u64, index_type: IndexType,
-    ) {
+    ) -> Result<()> {
+        if !buffer.usage().contains(BufferUsageFlags::INDEX_BUFFER) {
+            return Err(Error::InvalidArgument);
+        }
         self.add_resource(buffer.clone());
         unsafe {
             (self.pool.device.fun.cmd_bind_index_buffer)(
@@ -149,6 +155,7 @@ impl<'a> CommandRecording<'a> {
                 index_type,
             )
         }
+        Ok(())
     }
 }
 

src/command_buffer/draw.rs

@@ -12,6 +12,7 @@ use crate::ffi::Array;
 use crate::render_pass::RenderPass;
 use crate::subobject::Owner;
 use crate::types::*;
+use crate::vk::BufferUsageFlags;
 
 use super::{
     Bindings, CommandRecording, ExternalRenderPassRecording,
@@ -216,6 +217,24 @@ impl<'a> SecondaryCommandRecording<'a> {
         self.rec.draw_indexed_indirect(buffer, offset, draw_count, stride)
     }
 }
+
+fn bounds_check_n(
+    count: u32, size: u32, mut stride: u32, buf: &Arc<Buffer>, offset: u64,
+) -> Result<()> {
+    if count < 2 {
+        stride = size;
+    }
+    if stride < size || offset & 3 != 0 {
+        return Err(Error::InvalidArgument);
+    }
+    let len =
+        (count as u64).checked_mul(stride as u64).ok_or(Error::OutOfBounds)?;
+    if !buf.bounds_check(offset, len) {
+        return Err(Error::OutOfBounds);
+    }
+    Ok(())
+}
+
 impl<'a> CommandRecording<'a> {
     fn draw(
         &mut self, vertex_count: u32, instance_count: u32, first_vertex: u32,
@@ -237,6 +256,10 @@ impl<'a> CommandRecording<'a> {
         &mut self, buffer: &Arc<Buffer>, offset: u64, draw_count: u32,
         stride: u32,
     ) -> Result<()> {
+        if !buffer.usage().contains(BufferUsageFlags::INDIRECT_BUFFER) {
+            return Err(Error::InvalidArgument);
+        }
+        bounds_check_n(draw_count, 16, stride, buffer, offset)?;
         self.graphics.check()?;
         self.add_resource(buffer.clone());
         unsafe {
@@ -271,6 +294,10 @@ impl<'a> CommandRecording<'a> {
         &mut self, buffer: &Arc<Buffer>, offset: u64, draw_count: u32,
         stride: u32,
     ) -> Result<()> {
+        bounds_check_n(draw_count, 20, stride, buffer, offset)?;
+        if !buffer.usage().contains(BufferUsageFlags::INDIRECT_BUFFER) {
+            return Err(Error::InvalidArgument);
+        }
         self.graphics.check()?;
         self.add_resource(buffer.clone());
         unsafe {

src/enums.rs

@@ -283,13 +283,9 @@ bitflags! {
 impl BufferUsageFlags {
     /// Does the usage support arbitrary indexing?
     pub fn indexable(self) -> bool {
-        self.intersects(
-            Self::STORAGE_TEXEL_BUFFER
-                | Self::STORAGE_BUFFER
-                | Self::UNIFORM_TEXEL_BUFFER
-                | Self::UNIFORM_BUFFER
-                | Self::VERTEX_BUFFER,
-        )
+        let allowed =
+            Self::TRANSFER_SRC | Self::TRANSFER_DST | Self::INDIRECT_BUFFER;
+        !allowed.contains(self)
     }
 }
 

src/image.rs

@@ -102,6 +102,8 @@ impl ImageWithoutMemory {
     }
 }
 impl Image {
+    /// Note that it is an error to bind a storage image to
+    /// host-visible memory when robust buffer access is not enabled.
     #[doc = crate::man_link!(vkBindImageMemory)]
     pub fn new(
         image: ImageWithoutMemory, memory: &DeviceMemory, offset: u64,

src/types.rs

@@ -1464,6 +1464,8 @@ pub struct AttachmentReference {
 
 #[repr(C)]
 #[derive(Debug)]
+/// Create with
+/// [`vk::SubpassDescription::try_into`](SubpassDescription).
 #[doc = crate::man_link!(VkSubpassDescription)]
 pub struct VkSubpassDescription<'a> {
     flags: SubpassDescriptionFlags,